The first line of defense against cybercriminals

Employee training is vital to thwarting cyber attacks: ©Hixel - stock.adobe.com

Medical practices and health care facilities are a preferred target of hackers because of the amount of personal information contained in medical records. These records can be taken hostage via ransomware, forcing a practice to either pay the ransom to get their data back or risk having the sensitive information sold on the dark web.

Although news stories focus on the infiltration of large health care companies, even a small medical practice likely has thousands of records, making it a target. As larger companies increase their security, smaller practices with their less sophisticated information technology (IT) systems are becoming more attractive targets.

One step a practice can take to protect itself is to make sure its employees are properly trained to recognize common hacker tricks. Medical Economics spoke with Erich Kron, a security awareness advocate for cybersecurity training firm KnowBe4, about the threat of hackers and what can be done to stop them. (Note: The transcript has been edited for length and clarity.)

Medical Economics: Why do hackers target medical practices, even the smaller ones?

Erich Kron: The interesting thing about medical practices is we deal with a lot of sensitive patient information, even [with] the smaller ones. Well, bad actors these days have really figured out how to monetize that and use that information. [They do it] to make themselves money, whether it’s through extortion-type things that we hear about [like] ransomware, where they steal a copy of that data and then they want to charge somebody to not leak it, or [it’s] some of these really bad cases [where] we’ve had them actually go to the patients and say, “Hey, if you don’t want your before-and-after plastic surgery pictures leaked on the internet, we better get paid for this sort of thing.” This puts a lot of pressure on those offices, the clinics, whoever it is that’s been a part of this. So this is … one of those major issues that we’ve had, and unfortunately the smaller clinics do not have the money to hire a full-time security person. It’s usually somebody who’s hired out through another firm or something like that. And hackers know you’re trying to do things like run your practice and that security isn’t your top thing. They know that it’s more likely to have things not patched and maybe not be quite as secure as it possibly could be.

Medical Economics: What are the most common ways that hackers gain access to a medical practice’s network?

Kron: The first one, believe it or not, is age-old email phishing. It still drives me a little bit crazy that here we are in 2024 and it’s something that we’ve been dealing with since the 1990s, but it is still a thing. It’s very, very lucrative for them, and they do a good job. It falls under the umbrella of social engineering. And while I say email phishing is … the No. 1 thing, it also includes things that we’ve seen recently [such as] what we call vishing, which is phone calls. These people will call up and they’ll say, “Hey, this is your IT group. I need to make sure that we have your [correct] password.” And they get somebody to give them a password over the phone or [through] text messages, which we call smishing, for Short Message Service text. Those sorts of things are still incredibly common and valuable assets to these people, and they’re good at it. That’s the thing that people don’t understand … they are good at doing this, they’re really good at talking people into it.

The No. 2 way that this tends to happen is [through] unpatched software and devices. Unfortunately, there [are] patches that we hear about, and it’s the little thing that pops up in the corner of our browser that says update. But it’s kind of hard to do that because you’re in the middle of trying to do things and there never seems to be time to patch these vulnerabilities. Unfortunately, these patches plug the vulnerabilities that the bad actors use to get into the software, and sometimes once they get into your network, they’re going to exploit those vulnerabilities to move around and actually steal the data.

Medical Economics: What are the ramifications when they gain access to your network? Is it a matter of simply taking your data hostage?

Kron: Some of them, like I mentioned earlier, use ransomware. And that’s where they encrypt as much data as they can find –– the stuff that you need to run the office –– and we all know that without the medical records, it’s … hard to treat patients. That causes all kinds of problems, so they may go that route and then charge you to decrypt the files or give you the password or the key to decrypt the files. This happens all the time. Unfortunately, some groups have actually been skipping the whole process of doing the encryption where they lock your files down. They’re stealing a copy of that data and extorting organizations, saying, “If you don’t give us this money, we’re going to go ahead and put this on the internet.” And it could be employee records, it could be patient files, it could be basically anything sensitive they get their hands on. Another thing that happens, though, is there are actually people out there called initial network access brokers. What they’ll do is they get into a network like this, and they don’t do anything, but then they sell that access to someone else that’s going to come in and try other things. They may plant malware, they may do all kinds of stuff in there that you’re not really aware of. It’s very quiet and peaceful until it’s not, unfortunately.

Medical Economics: You mentioned hackers taking your data for ransom and forcing you to pay for a key. When someone pays to release the data, how often do they actually get the data back?

Kron: The truth is, most of the time you will get most of your data back. Often what happens is some portion of it gets damaged while they’re quickly trying to do this encryption. And keep in mind, we use encryption every day, right? We secure our bank transactions and network transactions and things with it. But there are things put in place to make sure that if errors occur before the original is wiped out, it’s fixed. When these bad actors are doing this, they’re going as fast as they possibly can and they skip a lot of those steps. What happens is, if you [were to] pay them––because it’s a reputation-based business, if you want to call it that—[and] they didn’t give you your data back, nobody would ever pay the ransom. So they tend to be pretty good at that, and they even have really good tech support for some of these groups to help you out –– and I’m not kidding, it’s crazy. But they will end up returning that, but sometimes things are damaged; sometimes they didn’t get it all. So most of the time you’ll get most of your data back.

Medical Economics: Why is employee training on cybersecurity an important part of protecting a practice’s medical network, and is it effective?

Kron: The number one way this happens over and over again is social engineering. It’s the human part; it’s exploiting a person, it’s getting them to click on a link. It’s getting them to give up a password or even have poor practices with passwords –– things like reusing passwords across a whole bunch of different platforms. Then the one over here gets breached, and they have tools that will try it in other places. Password reuse is a big thing, and education and training helps with that too. But because it’s such a big and effective initial attack vector that they use, getting people to understand it, to be able to spot these phishing emails and, quite frankly, think about it are some of the more powerful, important things you can do. Training is very effective with that, especially if you do it often. It keeps their mindset going, [as in,] “Oh, this is a problem. OK, cool. I’ve heard about this, I’ve seen this.” It … triggers that in the back of our heads that … something’s off.

Now, what I’ll never say is that it’s going to stop everything. Because all security controls, whether they’re technical controls or whether they’re human controls, they’re all done in a layered format because nothing’s 100% effective. In other words, you can’t train people and expect nobody will ever click on a phishing link. The idea is I would much rather have one person do it every six months and be able to recover from that than have somebody do it once a week or once a month on that scale. And the other thing about it is, it tends to be very cost-effective compared to a lot of the security controls and technical controls that we see out there that, frankly, aren’t always tackling the problems that especially smaller clinics and offices are going to face.

Medical Economics: What does a typical training program look like? How much time is involved on the administration side and the employee side?

Kron: As far as the training and education piece goes, we actually like to pair training with the simulated attacks. And I’ll tell you why that works. The training is great –– you go in, you get educated and learn about these things, right? But does that end it? You don’t have a pilot go to school to learn to fly and then just get in a plane; they need to practice things. That’s what the simulated part is about. It’s not about making them feel bad, it’s about giving them a chance to practice what they learned in the training in a place where if they mess up, it’s not a big deal. So it’s important to put those together. Now, it sounds like a lot of work, but for the good training platforms a lot of that stuff is automated. We even have AI [artificial intelligence] things that go in and they will help figure out what training people may need or what kind of simulated phishing things to send them. We really worked hard on making sure that it’s low effort for the admins, so what I see is, for the most part, maybe a few hours a month is spent going in checking the reports, making sure what’s going on and just … double-checking things or if they want to add a couple things to it. It’s not that much of a lift.

Now, on the employee side, that’s always a tricky one, because people come to work and they’re working, right? We can’t spend a whole lot of time [on this]. Well what’s happened in the past is, unfortunately, a lot of places have set aside … one hour a year, and they stuffed everybody into a break room and they go, “OK, here’s training, here’s education [and] by the way, be secure.” And we know that doesn’t work. That’s a waste of an hour to be honest with you. It may work for a couple of weeks or whatever. What I like to see happen is more, shorter trainings. So instead of doing 60 minutes at once, maybe we do 15 minutes a quarter and we do it on something that’s relevant to the time frame. Like right now, there [are] going to be tax scams. There [are] going to be people after W-2s and things like that. Or even better yet, I like to see … five minutes a month. That way, they’re constantly being reminded and it’s broken up over more time. They will continue to learn because it hasn’t been so long between trainings. That’s what I find is really, really successful –– the smaller sessions presented more often.

Medical Economics: What else do you think physicians need to know about cybersecurity training?

Kron: I think it’s important to consider the human side of security, and to understand that it doesn’t matter how big or small your practice is, you’re going to be on a list somewhere. I’ve talked to a number of physicians and they [say], “Oh, I’m just a one-person shop here. I’m never going to be a target.” Unfortunately, in this digital age, where all this information is being pulled from different places, it’s scraped off the internet and off websites and it’s just put in these big lists.

Computers, including AI-type stuff, will go through and build up this list of targets, and then they use automatic tools and start sending them out to everybody. It’s not a lot of work for these bad actors to do this. It doesn’t matter whether you’re big or small. If you’re a small office and they can get you to pay $20,000 or $30,000 to get your data back or to protect your patients’ privacy, that’s money in the bank to them. If they end up getting a big place where it’s a $1 million or $2 million ransom demand, that’s great for them too. But either way, it was basically the same amount of effort most of the time.

So don’t think you’re too small. Don’t think that nobody knows you or that you don’t have information that’s going to be valuable to them. Because even if you think you don’t have patient information that’s valuable, what about your employees? What about their payroll information [and] Social Security information that you are going to have there, and your HR [human resources] systems and other stuff like that that you [must] have to run the organization? You don’t want to put them at risk either.